interesting MX ssh tickle

Carter Bullard carter at qosient.com
Thu Oct 4 16:23:00 EDT 2007


Gentle people,
Just as a side, about 90 minutes ago here at QoSient WHQ, some
Mexican machine was trying to ssh into one of my machines using
every account name you can think of, even "harrypotter".  It gave
up after about 20 minutes, and a couple thousand tries.  Even if
they had been successful I'm thinking that he/she/it would have
been disappointed ;o)

The interesting thing is I know it didn't originate from a machine
in Mexico, although the address was clearly from a delegated
Mexican CIDR block, and the reverse lookup for the address was
from a Mexican DNS server, so it all looked like things were from
Mexico.

But, it's pretty clear that the TCP connections didn't originate from
our fair southern border.  I know this because the "tcprtt" for all
the attempts averaged 1.278 mSecs, and that doesn't seem like
Mexico <-> NYC round trip times.  Here in NYC, we have real IP
addresses from all over, because of the UN, consulate machines
etc., but 1.2 mSecs is what, about 200 miles as the electrons fly,
probably in the order of 20-30 miles as the packets fly, and when
you subtract the host delay, we're talking anywhere from 2-15
miles.  Mexico is about 2300 miles away, so you'd expect something
in the 90-120 mSec range.

So, lesson is, it's important to keep the ethernet addresses, so
you can confirm that the traffic is coming from within your LAN,
or the office/school building or next door or from your real service
provider's router. I suspect that someone is having some fun
at one of the ISP's expenses, or using a wireless router to bang
at my machine set.

I saw this using ratop().

    ratop -S argus.source -s +1sco +2dco +tcprtt

I always have a ratop() running that is collecting from my outermost
argus, so I can see what is happening in real-time.  I'm sure that this
type of stuff is going on all the time, but it is interesting how someone
could be using a Mexican IP address in New York City :o)

If you wanted to find records from MX in your archive, you would use:

    ralabel -r argus.data -w - | ra -s +1sco - src co MX

If you wanted to find anything that wasn't from your own country,
so for here that would be US, try:

    ralabel -r argus.data -w - | ra -s +1sco - cocode and src co not US

You need the cocode (country code) filter keyword to make sure
there actually is a country code in the record, and then you can
test if the value is not US.

Carter


On Oct 4, 2007, at 1:44 PM, CS Lee wrote:

> Hi Carter,
>
> Thanks, my fault as I have confused with my multiple versions
> installation of argus.
>
> It works great and prints out the country code, I haven't tried the
> shell script to fetch the country codes file yet but it works great
> for now.
>
> Thanks.
>
> On 10/5/07, Carter Bullard <carter at qosient.com> wrote:
> Hey CS Lee,
> Hmmm, that sounds like an earlier version of ra, reading a new
> .rarc file, or your ../argus/rarc file has something funky in it.
>
> What's on line 265, and what version of ra are you running?
>
> Carter
>
>
> On Oct 4, 2007, at 1:05 PM, CS Lee wrote:
>
>> Hi Carter,
>>
>> I have activated the country code printing by adding this line
>>
>> RA_DELEGATED_IP="/usr/local/stow/argusc-3RC58/argus/delegated-ipv4-latest"
>>
>> Just to mention I didn't change the path in Makefile when I
>> compiled, and I think it's possible to just change the path in ra
>> config(rarc), when I run it with the above feature enabled, I got
>>
>> ra[14014]: 01:04:54.648965 ../argus/rarc: syntax error line 265
>>
>> Must I change the default path in Makefile? I haven't tried yet,
>> but I think it should be flexible.
>>
>> Cheers.
>>
>> -- 
>> Best Regards,
>>
>> CS Lee<geekooL[at]gmail.com>
>>
>> http://geek00l.blogspot.com
>
>
>
>
> -- 
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
>
> http://geek00l.blogspot.com

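The two checks Carter describes above, the RTT that is too short for the claimed country and the ethernet address that tells you whether frames came from the provider's router, as an added example that is not part of the original message or of the argus distribution. It reads lines shaped like the output of `ra -s saddr smac sco tcprtt` (the sample records below are constructed, using TEST-NET addresses and a made-up router MAC); it assumes tcprtt is printed in seconds, that the sensor sits in New York City, and that the per-country reference coordinates and the 200 km/ms fibre propagation speed are good enough for a lower bound.

```python
"""Sanity-check argus flow records: does the measured TCP RTT fit the
country the source address is delegated to, and did the frames arrive
from the upstream router at all?

Added example; not argus code. Input lines look like
`ra -s saddr smac sco tcprtt` output (sample below is constructed),
with tcprtt assumed to be printed in seconds.
"""
from math import asin, cos, radians, sin, sqrt

SENSOR = (40.7, -74.0)            # assumed sensor location: New York City
HOME_CC = "US"                    # the "src co not US" case from the message
ROUTER_MAC = "00:00:5e:00:53:01"  # constructed: MAC of the provider's router
KM_PER_MS_IN_FIBRE = 200.0        # light in glass, roughly two thirds of c
EARTH_RADIUS_KM = 6371.0

# Rough reference points per country code (degrees), constructed for the
# example. Real use would look coordinates up in a GeoIP database.
COUNTRY_REF = {
    "US": (40.7, -74.0),   # home; distance from the sensor is zero
    "MX": (19.4, -99.1),   # Mexico City
    "CA": (45.5, -73.6),   # Montreal
    "DE": (50.1, 8.7),     # Frankfurt
}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def min_rtt_ms(cc):
    """Physical lower bound on RTT to the reference point for cc:
    out and back at fibre speed, with zero queuing or host delay."""
    return 2 * haversine_km(SENSOR, COUNTRY_REF[cc]) / KM_PER_MS_IN_FIBRE


def parse_ra_line(line):
    """Split one 'saddr smac sco tcprtt' line; tcprtt seconds -> milliseconds."""
    saddr, smac, sco, tcprtt = line.split()
    return saddr, smac.lower(), sco, float(tcprtt) * 1000.0


def check_flows(lines):
    """Return a list of (saddr, sco, reason) findings.

    Records without a country code are skipped, which is what the
    'cocode' filter keyword does; home-country records are skipped too.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        saddr, smac, sco, rtt_ms = parse_ra_line(line)
        if sco == "-" or sco not in COUNTRY_REF or sco == HOME_CC:
            continue
        floor = min_rtt_ms(sco)
        if rtt_ms < floor:
            # The packets cannot have travelled to the claimed country and back.
            findings.append((saddr, sco,
                             f"rtt {rtt_ms:.3f} ms below {floor:.1f} ms floor for {sco}"))
        if smac != ROUTER_MAC:
            # Frames did not come through the upstream router: a local origin.
            findings.append((saddr, sco,
                             f"frames from local MAC {smac}, not the router"))
    return findings


# Constructed sample in 'saddr smac sco tcprtt' layout; "-" marks a record
# that carries no country code.
SAMPLE = """\
192.0.2.10     00:00:5e:00:53:aa  MX  0.001278
192.0.2.10     00:00:5e:00:53:aa  MX  0.001301
198.51.100.7   00:00:5e:00:53:01  DE  0.092400
203.0.113.5    00:00:5e:00:53:01  CA  0.009800
192.0.2.77     00:00:5e:00:53:01  -   0.000900
""".splitlines()

if __name__ == "__main__":
    for saddr, sco, reason in check_flows(SAMPLE):
        print(f"{saddr:15} {sco}  {reason}")
```

With the sample input only the two "MX" flows are reported, each twice: once because 1.3 ms is far below the roughly 34 ms floor for a New York to Mexico City round trip, and once because the frames carry a MAC other than the router's, so they came from inside the LAN. The floor is deliberately generous (pure propagation, no routers, no host delay), so anything under it is a strong signal rather than a guess.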